On July 28th, the European Commission’s Directorate General for Communications Networks, Content and Technology (DG CONNECT) and the United States Department of Health and Human Services (DHHS) announced their agreement on an updated roadmap for the Memorandum of Understanding on cooperation surrounding health related information and communication technologies (the MoU).

The MoU was entered into in December 2010 to demonstrate the shared dedication of EU and US authorities to addressing challenges concerning eHealth/Health IT (‘eHealth’ being the European term for what is typically referred to as ‘Health IT’ in the US). The first roadmap of MoU actions was published in March 2013, and focused on outlining the vision, challenges and scope of two priority areas: ‘International Interoperability’ and ‘eHealth/Health IT Workforce Development’. In December 2015, DHHS and DG CONNECT agreed to add a third priority area to the MoU roadmap, namely ‘Transatlantic eHealth/Health IT Innovation Ecosystems’.

On July 29, 2016, the Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH) finalized a guidance framing its enforcement discretion policy regarding Low Risk General Wellness Devices. The Final Guidance largely tracks the draft policy issued in January 2015 (which we previously summarized), but provides more insight into FDA’s thinking,

Last week, the U.S. Food and Drug Administration (FDA) released a draft guidance entitled “Dissemination of Patient-Specific Information from Devices by Device Manufacturers,” which is intended to “clarify that manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device.” Such sharing, the FDA believes, “will empower patients to be more engaged with their healthcare providers in making sound medical decisions.”

The draft guidance is timely. Individuals are increasingly using wearable mobile technologies (e.g., activity trackers, fitness watches), as well as mobile medical applications and related health software. Many wearable technology manufacturers are facing increased scrutiny and litigation over the reliability of their products’ assessments (e.g., sleep or exercise tracking). And there is considerable concern about the security of patient-specific information stored on such devices.

The draft guidance defines “patient-specific information” to mean “any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device.” Such information may include, but is not limited to:

  • recorded patient data;
  • device usage/output statistics;
  • healthcare provider inputs;
  • incidence of alarms; and/or
  • records of device malfunctions or failures.

In prior blogs, we’ve discussed the “team” approach being used by federal agencies to regulate consumer products. Last week, the FTC provided further evidence of the government’s collaborative spirit, through the release of a web-based tool designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to their apps.

According to its press release, the FTC developed this guidance tool in conjunction with the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, the Office for Civil Rights, and the Food and Drug Administration, with consideration of the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act, and the Federal Food, Drug, and Cosmetic Act.

Yesterday marked one year since President Obama launched the $215 million Precision Medicine Initiative (“PMI”) to create new and innovative tools healthcare providers can use to tailor disease treatment and prevention to an individual’s unique characteristics. More than 40 private and public organizations, non-profit groups, academic institutions, and government agencies gathered this week at the White House to announce plans to accelerate the PMI, focusing in large part on the goal of establishing a large national research participant cohort. The stated mission of the PMI is:

To enable a new era of medicine through research, technology, and policies that empower patients, researchers, and providers to work together toward development of individualized care.

Precision medicine is a healthcare approach that takes into account differences in individuals’ genes, environment, and lifestyle. Advances in precision medicine give healthcare professionals the tools to tailor treatment to, for example, a person’s genetic makeup, which may transform how medicine is practiced. Although precision medicine is not currently used in the treatment of most diseases, the PMI is helping fund cross-cutting research to allow more widespread use of precision medicine.

A key element of the PMI is the Data Security Policy Principles and Framework (“Data Security Principles”), which is designed to guide organizations participating in PMI-related activities on the basic obligations of protecting personal privacy. Developed through a broad collaborative process, the Data Security Principles set forth the following goals for each precision medicine organization: 1) to identify the organization’s specific data security risks; 2) to protect critical infrastructure services; 3) to detect any cybersecurity event; 4) to respond to detected cybersecurity events; and 5) to recover from any impairment due to a cybersecurity event. The Data Security Principles further suggest that every data security plan should: 1) be participant-centric; 2) ensure that data security is adaptable and updatable; 3) identify risks, prescribe evaluation plans, and establish clear and transparent security protocols; 4) control data while providing adequate access; and 5) responsibly maintain data security. Additionally, the Data Security Principles support the exchange among organizations of data security experiences and challenges in an effort to enhance mutual education and understanding of data security risks and methods of protection.

On February 12, 2016, the Food and Drug Administration (FDA) released a notice of a public workshop and request for comments. The FDA, in collaboration with the University of Maryland Center of Excellence in Regulatory Science and Innovation, is hosting a public workshop titled, ‘‘Building the National Evaluation System for Medical Devices: Using Real-World Evidence

On February 25, the Food and Drug Administration (FDA) will hold a public workshop on Next Generation Sequencing (NGS)-Based Oncology Panels, a highly anticipated program given the recent announcement of a “Cancer Moon Shot” spearheaded by Vice President Biden. FDA recently released a discussion paper for the workshop that hints at the role cloud-based computing and “big data” could play in FDA’s regulatory framework for laboratory-developed tests (LDTs).

In December, FDA launched precisionFDA, a “secure, cloud-based platform where participants can access and share datasets, analysis pipelines, and bioinformatics tools” (previously described on this blog). The agency has published white papers on the analytical and clinical validation of NGS testing that explore “the potential use of databases as sources of clinical evidence in support of regulatory submissions” that could be used for NGS as well as for “any genetic test” (that is, any of the roughly 60,000 LDTs in use today).

Recently, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining the agency’s recommendations for Postmarket Management of Cybersecurity in Medical Devices.  The guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device.  The guidance does not

On December 18, 2015, President Obama signed a $1.1 trillion Omnibus spending bill. Among many other things in its 2,009 pages, the bill mandates the creation of a Healthcare Industry Cybersecurity Task Force. The Task Force must be established within 90 days of the bill’s enactment, that is, by March 17, 2016. Given that the healthcare industry is increasingly a target for hackers, the creation of the Task Force should be welcome news.

Many, including the Washington Post, have dubbed 2015 “the year of the health-care hack.” While it is believed that there were over 730 data breaches this year, the seven largest hacks alone exposed personal records and data corresponding to roughly 193 million people. Over one-third of the breaches — 259 — occurred in the health care sector. Three of the seven largest breaches involved covered healthcare entities holding large amounts of Americans’ protected health information. Healthcare data hacks are particularly troublesome given the sensitivity of the stolen data. Health data often involves highly personal and private information, including data pertaining to children and minors. Individuals whose medical information has been stolen can be at increased risk of identity theft and medical fraud, causing them not only financial harm, but potentially physical harm as well.

Section 405(c) of the bill requires the Secretary of Health and Human Services (“HHS”) to convene the Task Force in consultation with the Director of the National Institute of Standards and Technology (“NIST”) and the Secretary of Homeland Security (“DHS”). The Task Force will include healthcare industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary deems appropriate to include. In accordance with the bill’s instructions, the Task Force will operate for one year following its creation.

On December 18, Congress passed and President Obama signed into law a bipartisan budget agreement for federal fiscal year 2016. A package of Medicare changes was included, notably addressing the Meaningful Use penalties facing physicians and other healthcare professionals who bill Medicare (so-called eligible professionals, or EPs) under the Electronic Health Record (EHR) Incentive Program. Under that program’s rules, EPs and hospitals that do not meet Centers for Medicare and Medicaid Services (CMS) requirements for Meaningful Use in 2015 will see their Medicare Physician Fee Schedule payments reduced by 1 percent in 2017.

On October 16, 2015, CMS released a final rule modifying the program’s rules for 2015 through 2017 — the “Modified Stage 2” rules — and final rules for Stage 3. The rules permit providers who were previously scheduled to be in a Stage 1 EHR reporting period for 2015 to use a lower threshold for certain measures. Concerns about the ability to meet the Stage 3 requirements drove the push for passage of S. 2425.

The changes to the Meaningful Use requirements in S. 2425 were sponsored by Sen. Rob Portman (R-OH) and Sen. Bob Casey (D-PA). According to a summary provided by the bill’s sponsors, “an increase in the submission of hardship applications from [meaningful use] requirements in effect for 2015 is expected for reasons beyond providers’ control.”
